summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Correctly clear the current cipher state, when changing cipher state.jsing2018-09-053-41/+37
| | | | | | | | | | | | | | | | | When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures. Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions. Issue reported by Bernard Spil, who also tested this diff. ok tb@
* use timing-safe compares for checking results in signature verificationdjm2018-09-054-9/+10
| | | | | | (there are no known attacks, this is just inexpensive prudence) feedback and ok tb@ jsing@
* Stop using composite EVP_CIPHER AEADs.jsing2018-09-031-25/+7
| | | | | | | | | | | The composite AEADs are "stitched" mode ciphers, that are only supported on some architectures/CPUs and are designed to be faster than a separate EVP_CIPHER and EVP_MD implementation. The three AEADs are used for less than ideal cipher suites (if you have hardware support that these use there are better cipher suite options), plus continuing to support AEADs via EVP_CIPHER is creating additional code complexity. ok inoguchi@ tb@
* Stop handling AES-GCM via ssl_cipher_get_evp().jsing2018-09-031-20/+3
| | | | | | | All of the AES-GCM ciphersuites use the EVP_AEAD interface, so there is no need to support them via EVP_CIPHER. ok inoguchi@ tb@
* Clean up SSL_DES and SSL_IDEA remnants.jsing2018-09-031-41/+13
| | | | | | | All ciphersuites that used these encryption algorithms were removed some time ago. ok bcook@ inoguchi@ tb@
* Remove a few unnecessary caststb2018-09-021-5/+5
|
* Print SKIPPED if package wycheproof-testvectors is missing. Thisbluhm2018-09-021-2/+2
| | | | | is the magic string that is recognized by my test framework. OK tb@
* Remove ECDH from TODO list. Done!tb2018-09-021-2/+1
|
* Unify FAIL printfs.tb2018-09-021-8/+8
|
* After libcrypto/ecdh/ech_key.c -r1.8 fixed the failing test cases, removetb2018-09-021-13/+3
| | | | two noisy INFO and reorder things a bit.
* Elliptic curve arithmetic only makes sense between points that belong totb2018-09-021-1/+5
| | | | | | | | | | | | the same curve. Some Wycheproof tests violate this assumption, making ECDH_compute_key() compute and return garbage. Check that pub_key lies on the curve of the private key so that the calculations make sense. Most paths that get here have this checked (in particular those from OpenSSH and libssl), but one might get here after using d2i_* or manual computation. discussed with & ok jsing; "good catch!" markus
* Run Wycheproof ECDH tests against libcrypto. Some tests currently fail,tb2018-09-021-1/+154
| | | | will be fixed with the next commit to libcrypto.
* Use a Boolean rather than repeated string comparison.tb2018-09-021-3/+5
|
* Tweak comment.tb2018-09-011-5/+2
|
* Remove RSA-PSS from todo-listtb2018-09-011-2/+2
|
* Run Wycheproof RSASSA-PSS testvectors against libcrypto.tb2018-09-011-2/+144
|
* Remove unused argument to tls1_change_cipher_state_cipher().jsing2018-08-311-7/+4
|
* Instead of enumerating the files to clean by hand, set PROGS=${TESTS}.tb2018-08-312-5/+7
| | | | Suggested by jsing
* Make sure to clean up the .d files with 'make clean'tb2018-08-301-2/+2
|
* Nuke ssl_pending/ssl_shutdown function pointers.jsing2018-08-309-56/+14
| | | | | | | ssl3_pending() is used for all protocols and dtls1_shutdown() just calls ssl3_shutdown(), so just call the appropriate function directly instead. ok beck@ inoguchi@ tb@
* AES is now done also.tb2018-08-291-3/+3
|
* Pass algorithm as a string to all *TestGroup functions for consistency.tb2018-08-291-22/+22
|
* Run Wycheproof AES-GCM testvectors against libcrypto.tb2018-08-291-42/+83
|
* Calculate and check tag during AES-CCM encryption test.tb2018-08-291-1/+25
|
* typotb2018-08-291-2/+2
|
* Don't fatal on keys of invalid sice, just print an INFO.tb2018-08-291-2/+3
|
* Run Wycheproof AES-CMAC testvectors against libcrypto.tb2018-08-281-2/+116
|
* remove some extra parens and fix some other formatting issuestb2018-08-281-17/+17
| | | | pointed out by gofmt (thanks anton)
* Remove extra "and" in "These functions and have been available"tb2018-08-281-3/+3
|
* zap trailing whitespacetb2018-08-281-7/+7
|
* Drop SSLv2, SSLv3 support.cheloha2018-08-281-6/+2
| | | | | | | No need to check for SSLv2/3 sessions when printing the tally mark. Also do SSLv23_client_method -> TLS_client_method. ok jsing@
* Check for SSL_write(3) error.cheloha2018-08-281-3/+4
| | | | | | | | | | jsing@ notes that this is not a complete solution, as we don't account for retries or partial writes, but that this is a step in a right direction. May want to revisit this later to provide a complete solution. ok jsing@
* tweak failure messagestb2018-08-271-9/+9
|
* dedup AES-CBC-PKCS5 encryption and decryption checkstb2018-08-271-66/+24
|
* 2x missing "..."tb2018-08-271-3/+3
|
* Run Wycheproof AES-CCM testvectors against libcrypto.tb2018-08-271-2/+200
|
* n2s and l2n3 finally bite the dust!jsing2018-08-271-7/+1
|
* Convert ssl3_get_cert_verify() to CBS and clean up somewhat.jsing2018-08-271-74/+72
| | | | ok inoguchi@
* Dedup DTLS header writing code and convert to CBB.jsing2018-08-271-25/+35
| | | | | | | | | There are three versions of the DTLS header writing code, which primarily differ by the fragment offset and fragment length values that differ. Rework dtls1_write_message_header() such that it can be used in all three cases and convert it to CBB in the process. ok inoguchi@ tb@
* Add some missing statics.jsing2018-08-272-5/+5
|
* Simplify new session ticket encoding/generation.jsing2018-08-273-84/+90
| | | | | | | | | | | The original code did a crazy encode/malloc/encode/decode/modify/encode dance, in order to encode a session in the form needed to encrypt then add to a session ticket. By modifying the encoding functions slightly, we can do this entire dance as a single encode. Inspired by similar changes in BoringSSL. ok inoguchi@ tb@
* Fix formatting and grammatical issues with the description of how to usejsing2018-08-271-19/+17
| | | | | | | i2d_SSL_SESSION. Also rework the example code so that it is clearer and uses more appropriate names. Input from and ok schwarze@, tb@
* Add protocol and cipher patterns in regress appstest.shinoguchi2018-08-271-18/+88
|
* fix the same "an non" issue found by tb in EVP_EncryptInit.3;jmc2018-08-261-3/+3
|
* Check return value of EVP_CipherInit_ex()tb2018-08-261-6/+15
|
* Run Wycheproof AES-CBC-PKCS5 testvectors against libcrypto.tb2018-08-261-1/+189
|
* Remove some redundant info from log.Fatalftb2018-08-261-2/+2
|
* simplify returned valuetb2018-08-261-2/+2
|
* Some of the functions in this manual need <openssl/dsa.h>, otherstb2018-08-261-3/+45
| | | | | | | | | need <openssl/x509.h>. The functions {d2i,i2d}_DSA_params_{bio,fp}(3) were missing from the manual, so document them. The return values of the i2d_* functions are left undocumented, as these still need to be audited. ok schwarze (lots of input and help as usual)
* typo: an nonce -> a noncetb2018-08-261-3/+3
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 03:49:14 +0000